authorZach Reizner <zachr@google.com>2019-06-26 14:22:08 -0700
committerCommit Bot <commit-bot@chromium.org>2019-06-27 20:51:15 +0000
commit44863792aae915c0bc33155352ade8013144dcd3 (patch)
tree12cf69d19d434e9744ce6b1ccd83f6862a05172c /src/linux.rs
parent6160e479f6a5aad9cabf7d831ff63f4dd14e9704 (diff)
main: add seccomp-log-failures flag to command line
All cros-debug versions of crosvm enabled seccomp logging, which is now
broken on kernels <4.4 thanks to new minijail changes as explained in
the referenced BUG. This seems to be intended by the minijail folks, whose
aim is to improve seccomp logging, in part by changing its semantics to
log failures without killing the violating process. In such a world,
crosvm should not, as a compile-time choice, enable logging, which would
amount to disabling some of the security. This change adds a
command line flag to emulate the old behavior for the purposes of
developer debugging, as long as that developer is running on a kernel
that supports the new minijail seccomp filter failure logging.

BUG=chromium:978998
TEST=USE=cros-debug emerge-eve crosvm && cros deploy eve crosvm
     then start crostini in UI

Change-Id: I98190a068a919929e466fe22d6d630b90a758336
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1679380
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Zach Reizner <zachr@chromium.org>
Auto-Submit: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'src/linux.rs')
-rw-r--r--src/linux.rs17
1 files changed, 13 insertions, 4 deletions
diff --git a/src/linux.rs b/src/linux.rs
index 48cbe52..8d4a4ae 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -270,7 +270,11 @@ impl AsRawFd for TaggedControlSocket {
     }
 }
 
-fn create_base_minijail(root: &Path, seccomp_policy: &Path) -> Result<Minijail> {
+fn create_base_minijail(
+    root: &Path,
+    log_failures: bool,
+    seccomp_policy: &Path,
+) -> Result<Minijail> {
     // All child jails run in a new user namespace without any users mapped,
     // they run as nobody unless otherwise configured.
     let mut j = Minijail::new().map_err(Error::DeviceJail)?;
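Review bot: The new signature puts a bare `bool` between two `&Path` arguments, so any future call reads as `create_base_minijail(root, true, policy)` unless the caller names the flag the way this commit's one call site does; placing `log_failures` last, or using a two-variant enum, would make a swapped argument harder to write. The function also has no doc comment, and the new parameter deserves one since it changes what happens on a sandbox violation, e.g. `/// Builds the base jail for a device process; with `log_failures` set, minijail logs seccomp violations instead of killing the process (debugging only).` The body of create_base_minijail continues past this hunk.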
@@ -289,8 +293,9 @@ fn create_base_minijail(root: &Path, seccomp_policy: &Path) -> Result<Minijail>
     // Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly kill
     // the entire device process if a worker thread commits a seccomp violation.
     j.set_seccomp_filter_tsync();
-    #[cfg(debug_assertions)]
-    j.log_seccomp_filter_failures();
+    if log_failures {
+        j.log_seccomp_filter_failures();
+    }
     j.parse_seccomp_filters(seccomp_policy)
         .map_err(Error::DeviceJail)?;
     j.use_seccomp_filter();
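Review bot: Dropping the `#[cfg(debug_assertions)]` gate means a release build can now be switched at runtime into the log-only seccomp mode that the commit message itself describes as disabling part of the sandbox, whereas before this was impossible outside cros-debug builds; if that is not intended, `if log_failures && cfg!(debug_assertions) {` keeps the flag a debug-only tool while still making it opt-in. Either way the comment a few lines up, which says SECCOMP_RET_TRAP kills the device process on a violation, no longer holds when `log_failures` is set and should say so, e.g. `// With log_failures, minijail logs violations instead of killing the process; this weakens the sandbox and is for debugging only.` It would also be worth logging at warning level when the branch is taken, so that a production log shows the jail is running in log-only mode, assuming a logging macro is in scope in this file.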
@@ -308,7 +313,11 @@ fn simple_jail(cfg: &Config, policy: &str) -> Result<Option<Minijail>> {
             return Err(Error::PivotRootDoesntExist(pivot_root));
         }
         let policy_path: PathBuf = cfg.seccomp_policy_dir.join(policy);
-        Ok(Some(create_base_minijail(root_path, &policy_path)?))
+        Ok(Some(create_base_minijail(
+            root_path,
+            cfg.seccomp_log_failures,
+            &policy_path,
+        )?))
     } else {
         Ok(None)
     }